This disclosure relates to a fingerprinting system. More particularly, this disclosure relates to a method and apparatus that is able to identify the number of computers and types of operating systems associated with the computers behind a Network Address Translation (NAT) device in a network.
While this disclosure is particularly directed to analyzing traffic associated with operating systems behind a NAT device and thus will be described with particular reference thereto, it will be appreciated that the disclosure may have usefulness in other fields and applications. For example, this disclosure may be useful in a variety of services that have a need for identifying aspects of computing devices where these aspects may otherwise remain hidden through conventional means.
By way of background, a NAT device is commonly used in Internet Protocol (IP) translation and mapping technology. These devices are often used to allow networks to share internet access among a plurality of devices. However, a NAT device may also be used as an interpreter between two networks even with only one device behind it. NAT devices are used to open a conduit between one computer and a destination computer. The destination computer is commonly accessed through the internet. When the destination computer returns results from a computing device's request, the results are passed back through the NAT device. Generally, the NAT device will disguise the computing device or devices behind it so that the public computer only recognizes the address of the NAT device. In this form, the NAT device appears to be the source of the traffic. Reliably detecting NAT devices can be difficult because they are virtually indistinguishable from the host computers. However, many organizations depend on this hidden demographical information for marketing purposes. Furthermore, computers disguised in this way are used to attack sites because it is less likely that they will be discovered.
The industry has developed methods of fingerprinting the computing systems that are ordinarily hidden behind a NAT device. One of these developments is Passive Operating System fingerprinting (POS). POS is an open source solution that permits a network administrator or user to configure the software, which identifies the computer systems that visit the site being monitored. This methodology uses a computer system that captures packets targeting a site or servers. The traffic analysis focuses on certain aspects of IP packets.
Current fingerprinting methods analyze traffic with a focus on the Time To Live (TTL), Type of Service (ToS), Don't Fragment (DF) and Maximum Segment Size (MSS) aspects of IP packets. However, current methods in the industry do not focus on aspects such as application layer information and IP details. There is, therefore, a need in the industry for a network system and method that is able to analyze these aspects. Such a system and method would allow packets to be collected at an aggregation point, which could in turn yield information that determines the number of computers behind a NAT device. Furthermore, there is a need in the industry for a system that can collect IP packets and analyze them so as to form a conclusion (or at minimum, a probability) about which operating systems are being run by host computers. There is also a need in the industry for a system and a method which can attempt fast fingerprinting of the traffic with a more intelligent checking and monitoring system. This system and method would produce a more precise estimate of which operating systems are being run by disguised host computers.
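The following added example, which is not part of this disclosure, illustrates the conventional passive approach described above: it parses the TTL, ToS, DF and MSS fields from raw IPv4/TCP SYN packets and groups them into signatures, each distinct signature giving a lower bound on the number of hosts behind a NAT. The initial-TTL table, the OS labels and the sample packets are assumptions constructed for the demonstration.

```python
import struct
from collections import Counter

# Assumed initial TTL values of common OS families; the smallest value at or
# above the observed TTL is taken as the sender's initial TTL (hops are lost).
INITIAL_TTLS = (32, 64, 128, 255)
OS_GUESS = {32: "legacy Windows", 64: "Linux/macOS/BSD", 128: "Windows", 255: "Solaris/network gear"}

def parse_syn_fingerprint(pkt: bytes):
    """Return TTL, ToS, DF and TCP MSS from a raw IPv4+TCP packet, or None if not IPv4/TCP."""
    ver_ihl, tos, _total, _ident, frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if (ver_ihl >> 4) != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    df = bool(frag & 0x4000)                 # DF is bit 1 of the flags/fragment field
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4            # TCP header length incl. options
    mss, i = None, 20
    while i < data_off:                      # walk TCP options: kind [len [data]]
        kind = tcp[i]
        if kind == 0:                        # end of option list
            break
        if kind == 1:                        # NOP is a single byte
            i += 1
            continue
        length = tcp[i + 1]
        if kind == 2 and length == 4:        # MSS option
            mss = struct.unpack("!H", tcp[i + 2:i + 4])[0]
        i += max(length, 2)                  # guard against a zero-length option
    initial_ttl = next((t for t in INITIAL_TTLS if t >= ttl), 255)
    return {"ttl": ttl, "initial_ttl": initial_ttl, "os_guess": OS_GUESS[initial_ttl],
            "tos": tos, "df": df, "mss": mss}

def estimate_hosts(packets):
    """Count SYNs per (initial TTL, ToS, DF, MSS) signature; distinct keys = minimum host count."""
    sigs = Counter()
    for pkt in packets:
        fp = parse_syn_fingerprint(pkt)
        if fp is not None:
            sigs[(fp["initial_ttl"], fp["tos"], fp["df"], fp["mss"])] += 1
    return sigs

def make_syn(ttl, tos, df, mss):
    """Build a constructed IPv4+TCP SYN (checksums left zero; the parser ignores them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 44, 1, 0x4000 if df else 0, ttl, 6, 0,
                     b"\x0a\x00\x00\x02", b"\xc0\x00\x02\x01")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x60, 0x02, 65535, 0, 0)  # data offset 6 words
    return ip + tcp + struct.pack("!BBH", 2, 4, mss)

# Constructed capture: two SYNs from one Windows-like host, two from two Unix-like hosts.
SAMPLE = [make_syn(127, 0, True, 1460), make_syn(63, 0, True, 1460),
          make_syn(127, 0, True, 1460), make_syn(63, 0x10, True, 1452)]
```

Signatures only give a lower bound: two hosts running the same OS with identical settings collapse into one group, which is the limitation the disclosure's application-layer approach is meant to address.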
The present disclosure contemplates a new and improved system and method which resolves the above-referenced difficulties and others.